[squid-dev] SSL-BUMP distinguish between mobile devices such as IOS or ANDROID vs PC request

Eliezer Croitoru eliezer at ngtech.co.il
Thu Feb 22 18:56:44 UTC 2018 

I was wondering about the options to distinguish mobile devices TLS\SSL
requests compared to PC one's.
When I am running the next test:
https://www.ssllabs.com/ssltest/analyze.html?d=www.squid%2dcache.org&s=77.93
.254.178&latest

I am receiving a list of details about the compatibility of  specific
handshaking as listed:
Handshake Simulation
Android 2.3.7   No SNI 2		RSA 2048 (SHA256)   	TLS 1.0
TLS_DHE_RSA_WITH_AES_128_CBC_SHA   DH 1024  FS
Android 4.0.4 	RSA 2048 (SHA256)   	TLS 1.0
TLS_DHE_RSA_WITH_AES_256_CBC_SHA   DH 1024  FS
Android 4.1.1 	RSA 2048 (SHA256)   	TLS 1.0
TLS_DHE_RSA_WITH_AES_256_CBC_SHA   DH 1024  FS
Android 4.2.2 	RSA 2048 (SHA256)   	TLS 1.0
TLS_DHE_RSA_WITH_AES_256_CBC_SHA   DH 1024  FS
Android 4.3 	RSA 2048 (SHA256)   	TLS 1.0
TLS_DHE_RSA_WITH_AES_256_CBC_SHA   DH 1024  FS
Android 4.4.2 	RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384   DH 1024  FS
Android 5.0.0 	RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256   DH 1024  FS
Android 6.0 	RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256   DH 1024  FS
Android 7.0 	RSA 2048 (SHA256)   	TLS 1.2
TLS_RSA_WITH_AES_256_GCM_SHA384  No FS
Baidu Jan 2015 	RSA 2048 (SHA256)   	TLS 1.0
TLS_DHE_RSA_WITH_AES_256_CBC_SHA   DH 1024  FS
BingPreview Jan 2015 	RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384   DH 1024  FS
Chrome 49 / XP SP3 	RSA 2048 (SHA256)   	TLS 1.2
TLS_RSA_WITH_AES_128_GCM_SHA256  No FS
Chrome 57 / Win 7  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_RSA_WITH_AES_256_GCM_SHA384  No FS
Firefox 31.3.0 ESR / Win 7 	RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_CBC_SHA   DH 1024  FS
Firefox 47 / Win 7  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_CBC_SHA   DH 1024  FS
Firefox 49 / XP SP3 	RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_CBC_SHA   DH 1024  FS
Firefox 53 / Win 7  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_CBC_SHA   DH 1024  FS
Googlebot Feb 2015 	RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_CBC_SHA   DH 1024  FS
IE 7 / Vista 	RSA 2048 (SHA256)   	TLS 1.0
TLS_RSA_WITH_AES_256_CBC_SHA  No FS
IE 8 / XP   No FS 1	  No SNI 2		RSA 2048 (SHA256)   	TLS
1.0 	TLS_RSA_WITH_3DES_EDE_CBC_SHA
IE 8-10 / Win 7  R		RSA 2048 (SHA256)   	TLS 1.0
TLS_RSA_WITH_AES_256_CBC_SHA  No FS
IE 11 / Win 7  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384   DH 1024  FS
IE 11 / Win 8.1  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384   DH 1024  FS
IE 10 / Win Phone 8.0 	RSA 2048 (SHA256)   	TLS 1.0
TLS_RSA_WITH_AES_256_CBC_SHA  No FS
IE 11 / Win Phone 8.1  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_RSA_WITH_AES_256_CBC_SHA256  No FS
IE 11 / Win Phone 8.1 Update  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384   DH 1024  FS
IE 11 / Win 10  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384   DH 1024  FS
Edge 13 / Win 10  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384   DH 1024  FS
Edge 13 / Win Phone 10  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384   DH 1024  FS
Java 6u45   No SNI 2		RSA 2048 (SHA256)   	TLS 1.0
TLS_DHE_RSA_WITH_AES_128_CBC_SHA   DH 1024  FS
Java 7u25 	RSA 2048 (SHA256)   	TLS 1.0
TLS_DHE_RSA_WITH_AES_128_CBC_SHA   DH 1024  FS
Java 8u31 	RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256   DH 1024  FS
OpenSSL 0.9.8y 	RSA 2048 (SHA256)   	TLS 1.0
TLS_DHE_RSA_WITH_AES_256_CBC_SHA   DH 1024  FS
OpenSSL 1.0.1l  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384   DH 1024  FS
OpenSSL 1.0.2e  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384   DH 1024  FS
Safari 5.1.9 / OS X 10.6.8 	RSA 2048 (SHA256)   	TLS 1.0
TLS_DHE_RSA_WITH_AES_256_CBC_SHA   DH 1024  FS
Safari 6 / iOS 6.0.1 	RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256   DH 1024  FS
Safari 6.0.4 / OS X 10.8.4  R		RSA 2048 (SHA256)   	TLS 1.0
TLS_DHE_RSA_WITH_AES_256_CBC_SHA   DH 1024  FS
Safari 7 / iOS 7.1  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256   DH 1024  FS
Safari 7 / OS X 10.9  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256   DH 1024  FS
Safari 8 / iOS 8.4  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256   DH 1024  FS
Safari 8 / OS X 10.10  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256   DH 1024  FS
Safari 9 / iOS 9  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_RSA_WITH_AES_256_GCM_SHA384  No FS
Safari 9 / OS X 10.11  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_RSA_WITH_AES_256_GCM_SHA384  No FS
Safari 10 / iOS 10  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_RSA_WITH_AES_256_GCM_SHA384  No FS
Safari 10 / OS X 10.12  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_RSA_WITH_AES_256_GCM_SHA384  No FS
Apple ATS 9 / iOS 9  R		RSA 2048 (SHA256)   	TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
Yahoo Slurp Jan 2015 	RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384   DH 1024  FS
YandexBot Jan 2015 	RSA 2048 (SHA256)   	TLS 1.2
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384   DH 1024  FS


And I was wondering if there is an option to distinguish between these
requests and to maybe enhance SSL-BUMP with some kind of "option" based on
this.

Other options I have seen that helps to distinguish a mobile client compared
to a non-mobile one is by the domain name in the SNI and also by the default
response to a client request simulation.
Any ideas?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il

More information about the squid-dev mailing list